04 Apr 2018 18:27 IST

Rethinking the approach to privacy

Studies say customers are likely to remain loyal to firms that provide both transparency and control

There was a time when the world was significantly less connected than it is today. Our actions were more physical than digital. If we had an embarrassing moment, it would usually be between good friends and in person, and would mostly be forgotten or remembered as a fond memory.

There was no privacy-invading technology to amplify our mistakes, repackage them and spread them around the world at the speed of light. Our physical world had short memories and was more forgiving. The online world, however, does not forget. The digital footprint of our mistakes and indiscretions will live on forever.

Some of the confidential information that shows up on the internet is due to foolish and irresponsible behaviour on our own part. However, a large part of privacy invasion and violations of business confidentiality are a result of deliberate attempts by powerful advertising companies, unscrupulous data brokers, data breaches, and so on.

Data breaches

In these cases, the end user is innocent. According to industry analysts, over five million records are lost, stolen, or hacked every single day. Privacy invasion has the potential to destroy lives and data breaches can wipe out well-established businesses.

According to the 2017 Cost of Data Breach Study by Ponemon Institute, the average per capita cost of data breach was $225 in the US and $64 in India. The average organisational cost was $7.35 million in the US and $1.68 million in India.

The digital footprint of our lives, families and businesses is growing exponentially. Every single day, millions of people create digital assets (photos, videos, documents, texts, et al). Businesses collect data on consumer preferences, purchases, trends and much more with or without direct consent. The total amount of data in the world is set to rise steeply to 44 zettabytes by 2020. To put that in perspective, if an average, 4 MB song runs for four minutes, one petabyte of songs will run non-stop for over 2,000 years. And one zettabyte is equal to 1,000,000 petabytes!

Net neutrality

Technology advances have always been, and continue to be, a huge, powerful force. This juggernaut effect is compounded by intense lobbying by tech companies and vested interests.

For instance, Facebook’s well-funded and extensive ‘Free Basics’ initiative in India. It was veiled and promoted as something that would give free internet access to billions of people, while the reality was very different. It was just a way to promote Facebook’s own interests, an attempt to increase its monopoly power.

The Telecom Regulatory Authority of India (TRAI) must be lauded for ensuring that Free Basics never saw the light of day. An average Facebook user might have found it challenging to understand how net neutrality could have been compromised had the company’s plan succeeded. In such instances, it may help to remember the adage, ‘There’s no such thing as a free lunch’. If a product is offered for free, it’s very likely that your personal, private data is the fee.

Privacy and responsibility

It is time to hit the pause button and re-think our approach towards privacy. Privacy is about respecting individuals, about reputation management. The stakes are highest for businesses.

Respecting privacy is vital to gaining consumer trust. Large companies, specifically tech companies, do have watertight privacy and confidentiality contracts when it comes to their own employees’ obligations towards the employer, but are found wanting in this respect when it comes to obligations towards their customers.

Privacy protection, and not privacy invasion, should be seen as an opportunity to create a long-term, durable loyalty with customers. A ‘privacy by design’ approach is an essential element of being a good business. (According to Wikipedia, privacy by design is not about data protection but designing or engineering processes so that data doesn’t need protection.)

When companies fail to put privacy first

According to Gartner, the technology industry spent roughly $86 billion on cyber security in 2017, and yet, there were plenty of headline-making breaches.

Researchers Kelly D Martin, Abhishek Borah and Robert W Palmatier have pointed out in their study Data Privacy: Effects on Customer and Firm Performance, that a staggering 80 per cent of Fortune 500 firms neither tell customers how they use their data nor do they offer any control. These are the organisations that are at the greatest risk of financial harm. According to the study, firms that failed to explain their data privacy practices had a 1.5 times larger drop in stock price than firms with high transparency.

The most recent and high-profile case would be where Facebook’s value slid by over $100 billion after a whistle-blower revealed a vast data breach that affected millions. This is not the first time the social media giant has taken users’ personal information for granted, though the debate is more intense this time around.

In late 2006, Facebook’s News Feed feature was showing every little personal moment (when you are friending or breaking up with someone) to others in users’ network, leading to a virtual user revolt. A year later, Facebook Beacon sent data from external websites to Facebook, with the purpose of allowing targeted advertisements without consent. A class-action lawsuit for privacy violation was filed against Beacon.

In 2014, a Facebook data scientist apologised for mood-manipulation experiments on thousands of its users. The list is almost endless, and increasingly daring and dangerous experiments are being conducted.

Facebook has since apologised and is in serious damage control mode. But even as the debate continues, there are hundreds and thousands of applications out there, violating users’ privacy and business confidentiality every minute of the day.

When companies do put privacy first

Studies have shown that customers are more forgiving and more likely to remain loyal to firms that provide both transparency and control. These customers are more trusting and provide more accurate data to the firms and are also likely to put in a positive word for the companies.

These firms are transparent about the information they gather, while allowing customers substantial control or say on how the information will be shared and used. Sadly, a very small percentage of firms fit this profile, according to studies.

There’s an old saying: ‘They may forget what you said — but they will never forget how you made them feel’. Nothing fits more than the prevailing atmosphere of the digital economy today.

The path ahead

Saying no to innovation and everyday conveniences offered by technology is not a practical solution. Policy initiatives alone are not enough. A ‘privacy by design’ approach, firmly rooted in technology that can be deployed at scale, is needed to complement policy initiatives. Privacy must be incorporated into the data layer itself with technologies like modern, performant encryption.

Encryption is the process of encoding confidential information in such a way that only authorised parties can access it. It is a highly effective method for data security on the cloud. However, legacy encryption techniques have one major drawback — they drastically reduce data usability.

Standard encryption locks and hides the data you need to run your business everyday. What is needed is the twin benefit — the security that encryption enables while still being able to use data simultaneously. This can be achieved by newer encryption techniques, such as homomorphic encryption.

It shrinks the attack surface for organisations and individuals alike, at a time when our dependence on cloud services is rapidly increasing. It’s like having your own private cloud, on any cloud.

(Debapratim Purkayastha is the Associate Dean, ICFAI Business School, and Bhaskar Medhi is the Co-founder and CEO of Ziroh Labs)